(c) Matteo Corti, ETH Zurich, 2007-2012
(c) Matteo Corti, 2007-2019
see AUTHORS for the complete list of contributors
# check_ssl_cert
A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
## Usage
```
Usage: check_ssl_cert -H host [OPTIONS]

Arguments:
   -H,--host host                 server

Options:
   -A,--noauth                    ignore authority warnings (expiration only)
   --altnames                     matches the pattern specified in -n with alternate
                                  names too
   -C,--clientcert path           use client certificate to authenticate
   --clientpass phrase            set passphrase for client certificate.
   -c,--critical days             minimum number of days a certificate has to be valid
                                  to issue a critical status
   --curl-bin path                path of the curl binary to be used
   -d,--debug                     produces debugging output
   --ecdsa                        cipher selection: force ECDSA authentication
   -e,--email address             pattern to match the email address contained in the
                                  certificate
   -f,--file file                 local file path (works with -H localhost only)
                                  with -f you can not only pass a x509 certificate file
                                  but also a certificate revocation list (CRL) to check
                                  the validity period
   --file-bin path                path of the file binary to be used
   --fingerprint SHA1             pattern to match the SHA1-Fingerprint
   --force-perl-date              force the usage of Perl for date computations
   --format FORMAT                format output template on success, for example
                                  "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
   -h,--help,-?                   this help message
   --ignore-exp                   ignore expiration date
   --ignore-ocsp                  do not check revocation with OCSP
   --ignore-sig-alg               do not check if the certificate was signed with SHA1
                                  or MD5
   --ignore-ssl-labs-cache        Forces a new check by SSL Labs (see -L)
   -i,--issuer issuer             pattern to match the issuer of the certificate
   --issuer-cert-cache dir        directory where to store issuer certificates cache
   -L,--check-ssl-labs grade      SSL Labs assessment
                                  (please check https://www.ssllabs.com/about/terms.html)
   --check-ssl-labs-warn-grade    SSL-Labs grade on which to warn
   --long-output list             append the specified comma separated (no spaces) list
                                  of attributes to the plugin output on additional lines
                                  Valid attributes are:
                                  enddate, startdate, subject, issuer, modulus,
                                  serial, hash, email, ocsp_uri and fingerprint.
                                  'all' will include all the available attributes.
   -n,--cn name                   pattern to match the CN of the certificate (can be
                                  specified multiple times)
   --no_ssl2                      disable SSL version 2
   --no_ssl3                      disable SSL version 3
   --no_tls1                      disable TLS version 1
   --no_tls1_1                    disable TLS version 1.1
   --no_tls1_2                    disable TLS version 1.2
   -N,--host-cn                   match CN with the host name
   -o,--org org                   pattern to match the organization of the certificate
   --openssl path                 path of the openssl binary to be used
   -p,--port port                 TCP port
   -P,--protocol protocol         use the specific protocol
                                  {http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap}
                                  http: default
                                  smtp,pop3,imap,imaps,ftp,ldap: switch to TLS
   -s,--selfsigned                allows self-signed certificates
   --serial serialnum             pattern to match the serial number
   --sni name                     sets the TLS SNI (Server Name Indication) extension
                                  in the ClientHello message to 'name'
   --ssl2                         forces SSL version 2
   --ssl3                         forces SSL version 3
   --require-ocsp-stapling        require OCSP stapling
   --require-san                  require the presence of a Subject Alternative Name
                                  extension
   -r,--rootcert path             root certificate or directory to be used for
                                  certificate validation
   --rootcert-dir path            root directory to be used for certificate validation
   --rootcert-file path           root certificate to be used for certificate validation
   --rsa                          cipher selection: force RSA authentication
   --temp dir                     directory where to store the temporary files
   --terse                        terse output
   -t,--timeout seconds           timeout after the specified time
                                  (defaults to 15 seconds)
   --tls1                         force TLS version 1
   --tls1_1                       force TLS version 1.1
   --tls1_2                       force TLS version 1.2
   --tls1_3                       force TLS version 1.3
   -v,--verbose                   verbose output
   -V,--version                   version
   -w,--warning days              minimum number of days a certificate has to be valid
                                  to issue a warning status
   --xmpphost name                specifies the host for the 'to' attribute of the stream element

Deprecated options:
   --days days                    minimum number of days a certificate has to be valid
                                  (see --critical and --warning)
   --ocsp                         check revocation via OCSP
   -S,--ssl version               force SSL version (2,3)
                                  (see: --ssl2 or --ssl3)
```
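As an added illustration of the `-w`/`-c` threshold semantics listed above (example code written for this README, not part of check_ssl_cert itself, which is a shell script): the block parses the `notAfter=` line that `openssl x509 -noout -enddate` prints and maps the remaining validity to a Nagios exit code. The sample date line is constructed, and `ignore_exp` is assumed to skip the date check entirely, which the help text does not spell out.

```python
from datetime import datetime, timezone

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of `openssl x509 -noout -enddate` output (not a real certificate)
SAMPLE_ENDDATE = "notAfter=Jun 10 12:00:00 2025 GMT"


def parse_not_after(line):
    """Parse the 'notAfter=...' line printed by openssl into an aware UTC datetime."""
    if not line.startswith("notAfter="):
        raise ValueError("unexpected openssl output: %r" % line)
    value = line[len("notAfter="):].strip()
    if not value.endswith(" GMT"):
        raise ValueError("expected a GMT timestamp: %r" % value)
    # openssl pads single-digit days with a space ('Jun  1 ...'); strptime treats
    # a space in the format as 'one or more whitespace', so that form parses too.
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def expiry_status(not_after, now, warning_days, critical_days, ignore_exp=False):
    """Map remaining validity to (exit code, message), mirroring -w/-c.

    WARNING when fewer than warning_days remain, CRITICAL when fewer than
    critical_days remain; an already expired certificate is always CRITICAL.
    ignore_exp is assumed (not stated by the plugin's help) to skip the date
    check entirely.
    """
    if critical_days > warning_days:
        return UNKNOWN, "critical threshold %d exceeds warning threshold %d" % (
            critical_days, warning_days)
    if ignore_exp:
        return OK, "expiration check disabled"
    days_left = (not_after - now).days
    if days_left < 0:
        return CRITICAL, "certificate expired %d days ago" % -days_left
    if days_left < critical_days:
        return CRITICAL, "certificate will expire in %d days" % days_left
    if days_left < warning_days:
        return WARNING, "certificate will expire in %d days" % days_left
    return OK, "certificate valid for %d more days" % days_left


if __name__ == "__main__":
    code, msg = expiry_status(parse_not_after(SAMPLE_ENDDATE),
                              datetime.now(timezone.utc), 20, 15)
    print("SSL_CERT %s - %s" % (["OK", "WARNING", "CRITICAL", "UNKNOWN"][code], msg))
```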
## Expect
check_ssl_cert requires 'expect' to enable timeouts. If expect is not
present on your system, timeouts will be disabled.
See: http://en.wikipedia.org/wiki/Expect
## Virtual servers
check_ssl_cert supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.
## SSL Labs
If `-L` or `--check-ssl-labs` is specified, the plugin will check the
cached status using the SSL Labs Assessment API (see
https://www.ssllabs.com/about/terms.html).
The plugin asks for a cached result (maximum age 1 day) to avoid
too many checks. The first time you issue the check you could therefore
get an outdated result.
## Notes
The root certificate corresponding to the checked certificate must be
available to openssl or specified with the `-r cabundle` or
`--rootcert cabundle` option, where cabundle is either a file (passed to
openssl as `-CAfile`) or a directory (passed as `-CApath`).
On macOS the root certificates bundle is stored in the Keychain and
openssl will complain with:
```
verification error: unable to get local issuer certificate
```
The bundle can be extracted with:
```
$ sudo security find-certificate -a \
-p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
```
and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option:
```
./check_ssl_cert -H www.google.com -r ./cabundle.crt
```
## Bugs
The timeout is applied to each action involving a download.
Report bugs to https://github.com/matteocorti/check_ssl_cert/issues